Legal claims defining the scope of protection, as filed with the USPTO.
1. An apparatus comprising instructions stored on non-transitory, computer-readable media, the instructions when executed to cause at least one computer to: receive information representing a possible threat to a first network; receive information representing a profile associated with the first network; access a stored database having records of possible threats to multiple, diverse networks; access a stored database having information representing profiles associated with respective, diverse networks; determine from the records a correlation of the possible threat to the first network with possible threats to a subset of one or more of the respective, diverse networks, the subset restricted to be one or more of the respective, diverse networks which, according to the stored database having the information, are associated with profiles that match the profile associated with the first network in at least one characteristic; transmit a notification message to a destination associated with a second network from the subset to identify the possible threat to the first network; and sanitize information conveyed by the notification message to the destination, by formatting said notification message in a manner to remove IP addresses corresponding to one or more of (i) the first network or (ii) one of the respective, diverse networks from information included in the notification message that represents one or more possible threats to one or more of (i) the first network or (ii) one of the respective, diverse networks.
2. The apparatus of claim 1, wherein the instructions when executed are to further cause the at least one computer to: responsive to the determination, rank the possible threat to the first network; and transmit a notification message to a destination associated with the first network, the notification message to identify the possible threat to the first network.
3. The apparatus of claim 2, wherein the instructions when executed are to further cause the at least one computer to, responsive to the determination, query a database to determine at least one remedial action associated with the possible threat to the first network, and transmit a notification message to the destination associated with the first network to identify the at least one remedial action.
4. The apparatus of claim 1, further embodied as one or more servers.
5. The apparatus of claim 4, wherein the instructions when executed are further to cause the one or more servers to retrieve the information representing the profile associated with the first network from a database maintained by the one or more servers in response to the receipt of the information representing the possible threat to the first network, to thereby receive said information representing the profile associated with the first network.
6. The apparatus of claim 1, wherein the at least one characteristic includes an industry identifier.
7. The apparatus of claim 1, wherein the at least one characteristic includes a group membership, and wherein the instructions when executed are further to dynamically determine group membership at a time when the stored database having the records is accessed.
8. The apparatus of claim 1, wherein the instructions when executed are further to update stored ranking information associated with the records, for at least one of the respective, diverse networks reporting a possible threat determined to be correlated with the possible threat to the first network.
9. The apparatus of claim 8, wherein the instructions when executed are, responsive to update of stored ranking information associated with the records, to transmit a notification message to a destination associated with a first one of the respective, diverse network that is a member of the subset and that first reported a possible threat determined to be correlated with the possible threat to the first network, and wherein the notification message is to indicate an upgraded threat severity based on the information representing the possible threat to the first network.
10. The apparatus of claim 1, wherein the instructions when executed are further to receive group membership information for the first network from a network administrator associated with the first network, and further, where the apparatus is to permit each network to have multiple group memberships.
11. The apparatus of claim 1, wherein the instructions when executed are further to update stored ranking information associated with the records, for at least one of the respective, diverse networks reporting a possible threat determined to be correlated with the possible threat to the first network.
12. An apparatus comprising instructions stored on non-transitory, computer-readable media, the instructions when executed to cause at least one computer to: receive information representing a possible threat to a first network; receive information representing a profile associated with the first network; access a stored database having records of possible threats to multiple, diverse networks; access a stored database having information representing profiles associated with respective, diverse networks; determine from the records a correlation of the possible threat to the first network with possible threats to a subset of one or more of the respective, diverse networks, the subset restricted to be one or more of the respective, diverse networks which, according to the stored database having the information, are associated with profiles that match the profile associated with the first network in at least one characteristic; responsive to the determination, rank the possible threat to the first network; and transmit a notification message to a destination associated with a third network to identify the possible threat to the first network, wherein the third network is associated with a profile that in the at least one characteristic matches (a) the profile associated with the first network and (b) each profile associated with a network corresponding to the subset; determine the correlation by identifying at least one first internet protocol (IP) address associated with the possible threat to the first network and also with the possible threats to the subset of one or more of the respective, diverse networks; wherein the information representing the possible threat to the first network and the possible threats to the one or more respective, diverse networks in the subset also collectively include one or more second IP addresses corresponding to one or more of (i) the first network or (ii) one of the respective, diverse networks; and sanitize information conveyed by the notification message to the destination, by formatting said notification message in a manner where no second IP address is included.
13. A method, comprising: receiving, with at least one computer, information representing a possible threat to a first network; receiving, with the at least one computer, information representing a profile associated with the first network; accessing, with the at least one computer, a stored database having records of possible threats to multiple, diverse networks; accessing, with the at least one computer, a stored database having information representing profiles associated with respective, diverse networks; using the at least one computer to determine from the records a correlation of the possible threat to the first network with possible threats to a subset of one or more of the respective, diverse networks, the subset restricted to be one or more of the respective, diverse networks which, according to the stored database having the information, are associated with profiles that match the profile associated with the first network in at least one characteristic; responsive to the determination, ranking the possible threat to the first network; transmitting a notification message to a destination associated with a third network to identify the possible threat to the first network, wherein the third network is associated with a profile that in the at least one characteristic matches (a) the profile associated with the first network and (b) each profile associated with a network corresponding to the subset, and the information representing the possible threat to the first network and the possible threats to the one or more respective, diverse networks in the subset also collectively include one or more second internet protocol (IP) addresses corresponding to one or more of (i) the first network or (ii) one of the respective, diverse networks; identifying at least one first IP address associated with the possible threat to the first network and associated with the possible threats to the subset of one or more of the respective, diverse networks; and sanitizing information conveyed by the notification message to the destination, by formatting said notification message in a manner where no second IP address is included.
14. The method of claim 13, wherein the at least one characteristic includes a group membership, and wherein the method further comprises receiving group membership information for the first network from a network administrator associated with the first network, and further, wherein the method further comprises permitting each network to have multiple group memberships, and dynamically determining group membership at a time of accessing the stored database having the records.
15. The method of claim 13, further comprising updating stored ranking information associated with the records, for at least one of the respective, diverse networks reporting a possible threat determined to be correlated with the possible threat to the first network.
16. The method of claim 13, further comprising, responsive to update of stored ranking information associated with the records, transmitting a notification message to a destination associated with a first one of the respective, diverse network that is a member of the subset and that first reported a possible threat determined to be correlated with the possible threat to the first network.
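The flow recited in claims 12 and 13 (correlate on a shared "first" IP address, restrict the subset to profile-matching networks, notify a matching third network, and leave every "second" IP address out of the message) can be sketched as follows. This is an added illustration, not code from the patent or its assignee and not a reading of claim scope; the record fields, profile keys, the two-level rank and all sample data are assumptions constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ThreatRecord:
    network: str      # reporting network (assumed identifier)
    attacker_ip: str  # "first IP address": source tied to the possible threat
    victim_ip: str    # "second IP address": host belonging to the reporting network
    description: str

# Constructed sample data (documentation/private address ranges only).
PROFILES = {
    "bank-a": {"industry": "finance", "groups": {"fs-sharing"}},
    "bank-b": {"industry": "finance", "groups": {"fs-sharing"}},
    "bank-c": {"industry": "finance", "groups": set()},
    "shop-d": {"industry": "retail", "groups": set()},
}
RECORDS = [
    ThreatRecord("bank-b", "203.0.113.7", "10.2.0.15", "credential stuffing"),
    ThreatRecord("shop-d", "203.0.113.7", "172.16.4.9", "credential stuffing"),
    ThreatRecord("bank-c", "198.51.100.20", "10.3.0.8", "port scan"),
]

def profiles_match(a, b):
    # Match in at least one characteristic: industry identifier or a shared group.
    return a["industry"] == b["industry"] or bool(a["groups"] & b["groups"])

def correlate(new, records, profiles):
    """Stored reports sharing the attacker IP, restricted to profile-matching networks."""
    mine = profiles[new.network]
    return [r for r in records
            if r.network != new.network
            and r.attacker_ip == new.attacker_ip
            and profiles_match(mine, profiles[r.network])]

def recipients(new, matches, profiles):
    """Third networks whose profile matches the first network and every subset member."""
    involved = {new.network} | {r.network for r in matches}
    return sorted(n for n, p in profiles.items()
                  if n not in involved
                  and all(profiles_match(p, profiles[i]) for i in involved))

def build_notification(new, matches):
    """Sanitized message: built only from non-identifying fields, so no member IP leaks."""
    return {
        "indicator_ip": new.attacker_ip,       # shared first IP address is kept
        "description": new.description,
        "peer_reports": len(matches),
        "rank": "high" if matches else "low",  # assumed ranking rule
    }
```

The notification is assembled from an allow-list of fields rather than by deleting addresses from a full record, so a field added to `ThreatRecord` later cannot leak a member network's address by default.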
Unknown
July 18, 2017